Krebs on Security

In-depth security news and investigation

Spoofing the Boss Turns Thieves a Tidy Profit

Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious.

Until it did. After Judy sent the wire instructions on to the finance department, something about the email stuck in her head: The message was far more formal-sounding than the tone of voice her boss normally used to express himself via email.

By the time she went back to review the missive and found she’d been scammed by an imposter, it was too late — the employee in charge of initiating wires at her company had already sent it on to the bank. Luckily, the bank hadn’t yet processed the wire, and they were able to claw back the funds.

“Judy” is a pseudonym; she asked to remain anonymous so as not to further embarrass herself or her employer. But for every close call like Judy’s there are many more small businesses each week that fall for these scams and lose millions in the process.

Known variously as “CEO fraud” and “business email compromise,” this swindle is a sophisticated and increasingly common one targeting businesses that work with foreign suppliers and/or regularly make wire transfer payments. In January 2015, the FBI warned that cyber thieves had stolen nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.

In February, con artists made off with a whopping $17.2 million from one of Omaha, Nebraska’s oldest companies — The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.

The scam email that nearly cost Judy her job appeared to have come from her company’s chief financial officer, who she said is not usually in the office. The message was made to appear as though it was a conversation between the CFO and the CEO, in which the CEO told the CFO that money needed to be wired to China.

“$315,000 is definitely a high amount, but I did a transaction for $1.4 million before, and I wire money to China for goods that we buy from there,” she said. “But truly, the email did bother me. It didn’t feel quite right when it came in, but at no point did I think, ‘this is someone imitating the boss.’”

After sending a co-worker in finance instructions to execute the wire transfer, Judy sent a note to the CFO asking if she should also notify the CEO that the wire had been sent. When the response came back in wording she couldn’t imagine the CFO putting in writing, she studied the forwarded email more closely. Sure enough, Judy discovered the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name.

Working with investigators, the company determined that the fraudsters had registered the phony domain and associated email account with Vistaprint, which offers a free one-month trial for companies looking to quickly set up a Web site.

“Turns out the scammers set up the domain and email address that morning, the same day as wire request,” Judy said. “When that email came through, the difference didn’t jump out at me. In hindsight, it blows my mind that it doesn’t bother me more than it did. But in the hustle and bustle of the day, I was not on guard for something like this. Now, I’m second-guessing everything.”
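The two signals in Judy’s story, a sender domain one look-alike letter away from the real one and a domain registered the same morning, can be checked mechanically at the mail gateway or in a finance-team inbox rule. The following is an added example, not code from the article or from Judy’s employer; the trusted domain `acmemetalworks.com`, the sample headers and the `registration_age_days` value (assumed to come from a WHOIS lookup done elsewhere) are all constructed.

```python
import re
from typing import Optional

# Constructed placeholder for the organization's own domain(s).
TRUSTED_DOMAINS = {"acmemetalworks.com"}

# Character sequences commonly swapped to build look-alike domains; each is
# folded to the string it imitates before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

def normalize(domain: str) -> str:
    """Lower-case the domain and fold common look-alike substitutions."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a look-alike domain is typically at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'CFO <cfo@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""

def classify(from_header: str, trusted=TRUSTED_DOMAINS,
             registration_age_days: Optional[int] = None, max_distance: int = 1) -> str:
    """Return 'internal', 'lookalike-of:<domain>', 'newly-registered', 'external'
    or 'no-domain'. registration_age_days (hypothetical, supplied by the caller
    from a WHOIS lookup) catches a domain set up the day of the wire request."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    if domain in trusted:
        return "internal"
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= max_distance:
            return f"lookalike-of:{t}"
    if registration_age_days is not None and registration_age_days < 30:
        return "newly-registered"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers mirroring the scam described in the article.
    for hdr in ("CFO <cfo@acmemetalworks.com>", "cfo@acmemetalwork.com",
                "cfo@acrnemetalworks.com", "sales@shanghai-steel.example"):
        print(f"{hdr:35} -> {classify(hdr)}")
```

This only catches look-alike sender domains: a forged From: header carrying the real domain is reported as "internal", which is what SPF, DKIM and DMARC checks at the gateway exist for. Neither check replaces the out-of-band confirmation of the wire that the article describes.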

Judy’s employer now has a mandatory policy about wire transfers:

“First of all, anytime there is a large wire or payment to make, we have to speak in person, whether that’s face-to-face, or in person on phone,” she said.

In other words, no more initiating large wire transfers because someone asked you to via email. It’s remarkable how much global trade is done via email, and how often both parties to the transaction are oblivious to or willfully ignorant of the fact that email is inherently insecure. More remarkable still, this form of fraud occurs in a channel where the victim’s bank has virtually no visibility.

The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.

This entry was posted on Tuesday, March 10th, 2015 at 9:34 am and is filed under Latest Warnings, Other, The Coming Storm.

68 comments

It sounds like the attacker may have captured some e-mail from within the organization. That should also be a red flag that triggers at least a basic forensics analysis of the situation to potentially uncover malware, breach, poor practices (sync’ing business e-mail on home computers), etc.

We caught a similar scam last summer. The domain was one letter away from ours and the scammers used VistaPrint to set up shop. Their email started coming in minutes after the domain was registered. I contacted Tucows, the domain registrar. After a few days someone from their compliance department told me the domain was suspended. After seeing this article I checked and it’s back. I just sent a very professional inquiry questioning this from my corporate email account. You can only imagine what I’d really like to “suggest” to them. 🙂

@Harry, just some friendly advice: do not ever contact hackers, especially from your work email; you are only inviting trouble. If you piss them off and they take down your site and it comes back to you, what do you think is going to happen?

This story further illustrates the epidemic of mass stupidity in the virtually universal use of insecure (unencrypted) email. Why on Earth would people NOT care about secure messaging? It has never made any sense to me.

I would never even think of trusting a request for funds that was not accompanied by an identity-trusted signature on an encrypted message. Yet, apparently people do business via unsigned, unencrypted email all the time.

Within our organization, signed & encrypted messages are an absolute requirement. Sure…it’s not foolproof. But the bad guys would have a much tougher time pulling off scams like this if companies required secure messaging as a standard policy.

– CEO/CFO: Dumb enough to authorize such a bad process to be used.
– Employee: Dumb enough not to validate at least by phone that the request for transfer is legit: we’re talking about thousands of dollars!!!
– IT staff: Dumb enough not to give them a proper tool/process/solution to encrypt & sign their email.

I was literally just reading a blog post about ransomware targeting companies and law and accounting firms when one came in on my system!

It’s a nasty little crypto-nuisance called HELP_DECRYPT, and the language is scary enough to make you do something silly. Don’t.

It dumps useless files on your computer with .url, .png, .txt, and .html extensions. In my case, over 5000 files. I almost had a heart attack and could not figure out why my security software hadn’t caught it. They scanned as “No Threat” on the latest premium, business version of AVG.

The files themselves are “harmless” if you count having to clean out digital slime as harmless. But, apparently perceived as harmless by my premium, top notch, bug zapper. It came in during the few hours I turned off my internet security software to upgrade. Mistake!

It came in on a trojan that my bug zapper found on a scan, but the files had either already gotten dumped or multiplied inside.

Just look for: HELP_DECRYPT.txt, .png, .html, and .url and dump them all!